1. Introductions and apologies


1.1. Apologies were received from Elizabeth Denham. Ailsa 
Beaton welcomed Jayne Scott, new Independent Audit 
Committee Member, to the Committee. 


1.2. The Committee acknowledged and thanked Elizabeth Denham 
for her work and support in bringing audit and risk forward 
within the ICO during her time as Commissioner. 


2. Declaration of interests


2.1 There were no declarations made. 


3. Matters arising from the previous meeting 


3.1 The minutes from the previous meeting were agreed.


4. Deputy Chief Executive Officer’s update 


4.1 Paul Arnold provided an update on matters relating to the
ICO’s work including the strategic agenda for the organisation
and highlighted the government consultations that the ICO
have recently been involved in.


4.2 He confirmed that work is progressing well on the transition to
the new Commissioner. He explained that there will be a
brief period in December when there will be no Commissioner;
however, it was confirmed that the legislation allows for this
and the responsibilities will be delegated, including those of
the Accounting Officer. Management Board will be reviewing
the Scheme of Delegation at their meeting in October to
ensure that leadership and accountability for the period
between the two commissioners is covered appropriately.


4.3 Paul Arnold thanked Louise Byers for the work she has been
doing whilst stepping into the role of Director of Finance. The
new Director of Finance, Angela Donaldson, will be starting on
Monday 25 October and Louise will be providing support and
stepping back into the role of Director of Risk and
Governance.


4.4 The Committee acknowledged that a new Commissioner will
have an impact on the organisation, both internally and
externally.


5. Operation Chandra update and alignment with NAO
“Principles of good regulation” report


5.1 Louise Byers presented the report setting out an analysis of
the principles of good regulation and highlighted where there
is alignment with the DCMS consultation.


5.2 She confirmed that the ICO have already been implementing
the good practice outlined in the report when producing our
guidance.


5.3 The Committee discussed the potential contradiction between
the proposals in the DCMS consultations to potentially reduce
volumes of “lower-level” complaints, and the “citizen-focused”
principle in the NAO report. It was confirmed that there is a
need to ensure that complaints received are focused on data
protection complaints rather than poor customer service
complaints against organisations. This will then allow
resources to focus on complaints with the highest risks to
data protection rights. The Committee asked whether NAO
had identified any areas where the consultation did not align
with their good practice principles. Robert Buysman
explained that he had put the ICO’s consultation response
team in touch with the authors of the NAO report, and agreed
to discuss with DCMS, should the opportunity arise.


6. Annual Report lessons learned 


6.1 Louise Byers presented the report outlining the lessons
learned from the Annual Report 2020/21. She confirmed that
strong relationships had been built between the ICO and NAO
and it was a positive process, however some areas on the
finance side were identified that can be improved.


6.2 There is now a need to onboard Deloitte and also to ensure
that the new Commissioner is aware of the annual report
process and the role of the Accounting Officer in approving
the report.


7. Finance 


Depreciation Policy


7.1 Louise Byers presented the report asking the Committee to
approve the implementation of the recommendation regarding
depreciation from the 2020-21 audit undertaken by the
National Audit Office.


7.2 The Committee agreed to implement the recommendation
outlined in the report to bring the ICO in line with the
regulations.


Trust Statement


7.3 Louise Byers presented the report outlining the
recommendation not to include a Trust Statement in the
2021/22 Accounts and to continue to provide an enhanced
disclosure in the accounts.


7.4 The Committee agreed with the recommendation outlined in
the report to continue to include an enhanced disclosure in
our accounts of the collection, write off and costs of our fines,
as per the 2020/21 Annual Report.


August 2021 income and expenditure report


7.5 Louise Byers provided an update on the mid-year financial
position. A report will be considered by Resources Board this
week. A potential surplus has been identified which may be
used to fund additional business cases.


7.6 The Committee discussed the current income levels and noted
the importance of considering this alongside the potential new
duties for the ICO in the data protection reform consultation.


8. Risk & Opportunity Management 


Corporate Risk Update


8.1 Joanne Butler presented the report outlining the key changes
to the risk register since the last meeting.


8.2 The Committee discussed the reduction in the compliance
culture risk and asked, while there was strong evidence of the
controls being in place, whether there was sufficient evidence
that the controls and processes are being adhered to, to support
the reduction of the risk score. Joanne Butler agreed to review
the risk score.


Corporate Risk Register annual report


8.3 The report provides the Committee with a reflection of the
changes to the risk register in the past 12 months.


8.4 Jo Butler highlighted that the Risk & Governance Board had
considered the report and commissioned further work to
ensure that the mitigating actions are providing the correct
controls to address the level of the risk to meet target risk
scores. The aim was to complete this work in time for the
December Management Board meeting.


8.5 The Committee discussed the possibility of more than one risk
emerging at the same time. It was confirmed that the
business continuity response plan looks at all types of events
either separately or consecutively and the risk update
templates consider interdependencies of risks and risk
indicators.


Risk deep dive: ransomware and similar risks


8.6 Alan McGann joined the meeting to present the ransomware
deep dive providing a summary of the arrangements in place
and work being carried out to mitigate the risk of ransomware
threats or similar.


8.7 It was confirmed that we are in a strong place with regard to
controls and work is being undertaken to focus on recovery
and the development of a ransomware playbook. The
playbook will include a decision tree which will have been
agreed by management to ensure that decisions can be made
as quickly as possible when an incident occurs.


8.8 The Committee were very supportive of this work and agreed
that all relevant staff should be involved in this area of work
with additional training and communications carried out
across the organisation.


9. Internal Audit 


9.1 Peter Cudlip presented the progress report and confirmed that
the work is on track.


9.2 Darren Jones presented the Financial Recovery report which
had a finding of Substantial Assurance.


9.3 The Committee were pleased with the audit finding of
substantial assurance and thanked all the teams involved in
the audit for their hard work in ensuring such a good result
and implementing the recommendation so quickly.


Action: Corporate Governance to pass on the thanks of 
the Committee to the teams involved in the Fines 
Recovery Audit 


10. Outstanding Audit recommendations 


10.1 Chris Braithwaite confirmed that we continue to make good
progress with the recommendations. Ten actions have been
cleared since the last meeting including the one action from
the financial recovery audit.


10.2 There is currently one late action. The work on this
recommendation is near completion but has been
delayed due to illness within the team.


11. External Audit 
11.1 Robert Buysman highlighted that once the new Director of
Finance is on board he will arrange a meeting with Angela
Donaldson and Deloitte. The audit planning report will be
presented at the next committee meeting.


12. Overall decision-making governance structure 


12.1 Joanne Butler presented the report providing assurance to the 
Committee on the overall structure. 


12.2 It was suggested that further clarity of the role of the 
regulatory panel be provided, especially with regard to the 
terminology around the panel being independent. 


Action: Wording relating to the Regulatory Panel to be 
reviewed to increase clarity. 


13. Security Report 


13.1 It was confirmed that there have been no significant incidents 
over the first half of the financial year. 


13.2 There was a spike in June however we have been unable to 
pinpoint the reason for this. There are no issues to be overly 
concerned about and we will continue to review and report 
any significant issues in the future. 


14. Fraud and Whistleblowing Report 
14.1 There were no issues raised with the report. 
15. Single tender contract awards 


15.1 There was one single tender contract award to the BHSF 
Employee Benefits Limited to ensure continuity of benefits to 
staff during the current pandemic situation. 


16. Any Other Business 
16.1 There were no issues raised. 
17. Future internal audit provision proposals 


17.1 Mazars left the meeting prior to the discussion of this item. 


17.2 Joanne Butler presented the report outlining the options for 
future internal audit provision and asked the ARC to consider 
the type of model that the ICO may wish to choose when the 
current provision ends. 


17.3 The paper had previously been considered by the Risk &
Governance Board and it agreed with the recommendation of
option 6 to explore further the services provided by the
Government Internal Audit Agency.


17.4 The Committee also agreed the recommendation of option 6 
as outlined in the report. 


